nspawn: expose container ipv6 address too

Extend nspawn so it can keep track of one ipv4 and one ipv6 address.
2025-03-19 22:50:17 +03:00 · 2020-12-17 02:21:41 +01:00 · 2020-12-17 02:21:41 +01:00 · deff68e718
commit deff68e718
parent 0e544221c9
3 changed files with 20 additions and 14 deletions
--- a/src/nspawn/nspawn-expose-ports.c
+++ b/src/nspawn/nspawn-expose-ports.c
@ -2,6 +2,7 @@

 #include "sd-netlink.h"

+#include "af-list.h"
 #include "alloc-util.h"
 #include "fd-util.h"
 #include "firewall-util.h"
@ -82,9 +83,9 @@ void expose_port_free_all(ExposePort *p) {
        }
 }

-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_union *exposed) {
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
        ExposePort *p;
-        int r, af = AF_INET;
+        int r;

        assert(exposed);

@ -106,19 +107,19 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_uni
                                      p->container_port,
                                      NULL);
                if (r < 0)
-                        log_warning_errno(r, "Failed to modify firewall: %m");
+                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }

        *exposed = IN_ADDR_NULL;
        return 0;
 }

-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, union in_addr_union *exposed) {
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        union in_addr_union new_exposed;
        ExposePort *p;
        bool add;
-        int af = AF_INET, r;
+        int r;

        assert(exposed);

@ -137,7 +138,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
                addresses[0].scope < RT_SCOPE_LINK;

        if (!add)
-                return expose_port_flush(fw_ctx, l, exposed);
+                return expose_port_flush(fw_ctx, l, af, exposed);

        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
@ -160,7 +161,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
                                      p->container_port,
                                      in_addr_is_null(af, exposed) ? NULL : exposed);
                if (r < 0)
-                        log_warning_errno(r, "Failed to modify firewall: %m");
+                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }

        *exposed = new_exposed;
--- a/src/nspawn/nspawn-expose-ports.h
+++ b/src/nspawn/nspawn-expose-ports.h
@ -23,5 +23,5 @@ int expose_port_parse(ExposePort **l, const char *s);
 int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
 int expose_port_send_rtnl(int send_fd);

-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, union in_addr_union *exposed);
-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, union in_addr_union *exposed);
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2471,7 +2471,8 @@ static int setup_kmsg(int kmsg_socket) {
 }

 struct ExposeArgs {
-        union in_addr_union address;
+        union in_addr_union address4;
+        union in_addr_union address6;
        struct FirewallContext *fw_ctx;
 };

@ -2482,7 +2483,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
        assert(m);
        assert(args);

-        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, &args->address);
+        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
+        expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
        return 0;
 }

@ -4900,7 +4902,8 @@ static int run_container(
                if (r < 0)
                        return r;

-                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, &expose_args->address);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
        }

        rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
@ -5027,7 +5030,8 @@ static int run_container(
                return 0; /* finito */
        }

-        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, &expose_args->address);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);

        (void) remove_veth_links(veth_name, arg_network_veth_extra);
        *veth_created = false;
@ -5582,7 +5586,8 @@ finish:
                (void) rm_rf(p, REMOVE_ROOT);
        }

-        expose_port_flush(&fw_ctx, arg_expose_ports, &expose_args.address);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET,  &expose_args.address4);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);

        if (veth_created)
                (void) remove_veth_links(veth_name, arg_network_veth_extra);